Hello community,

here is the log from the commit of package libXv.1727 for openSUSE:12.3:Update checked in at 2013-06-14 16:51:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/libXv.1727 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.libXv.1727.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXv.1727" Changes: -------- New Changes file: --- /dev/null 2013-06-12 16:57:03.272031756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.libXv.1727.new/libXv.changes 2013-06-14 16:51:48.000000000 +0200 
@@ -0,0 +1,130 @@ +------------------------------------------------------------------- +Mon Jun 3 09:43:31 UTC 2013 - [email protected] + +- U_0001-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch, + U_0002-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch, + U_0003-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch + * integer overflow in XvQueryPortAttributes(), XvListImageFormats(), + XvCreateImage() [CVE-2013-1989] (bnc#821671, bnc#815451) +- U_0001-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch + * buffer overflow in XvQueryPortAttributes() [CVE-2013-2066] + (bnc#821671, bnc#815451) + +------------------------------------------------------------------- +Wed Apr 11 15:26:37 UTC 2012 - [email protected] + +- Update to version 1.0.7: + + Janitorial cleanups + + Man page fix + + Build configuration improvements + +------------------------------------------------------------------- +Sun Feb 12 01:53:35 UTC 2012 - [email protected] + +- Rename xorg-x11-libXv to libXv and utilize shlib policy + +------------------------------------------------------------------- +Tue Dec 21 02:48:40 UTC 2010 - [email protected] + +- bumped version number to 7.6 + +------------------------------------------------------------------- +Sat Oct 30 15:47:53 UTC 2010 - [email protected] + +- libXv 1.0.6 + * This minor maintenance release provides the usual recent + collection of build configuration improvements and janitorial + cleanups. + +------------------------------------------------------------------- +Sun Apr 4 15:59:29 CEST 2010 - [email protected] + +- libXv 1.0.5 +- bumped version number to 7.5 + +------------------------------------------------------------------- +Mon Dec 14 20:00:15 CET 2009 - [email protected] + +- add baselibs.conf as a source + +------------------------------------------------------------------- +Sat May 2 14:42:17 CEST 2009 - [email protected] + +- revert static library and .la file removal + for SUSE versions <= 11.1. 
+ +------------------------------------------------------------------- +Tue Apr 21 19:14:41 CEST 2009 - [email protected] + +- remove static libraries and "la" files + +------------------------------------------------------------------- +Thu Sep 11 14:22:15 CEST 2008 - [email protected] + +- bumped release number to 7.4 + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - [email protected] + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Tue Mar 18 10:25:10 CET 2008 - [email protected] + +- libXv 1.0.4 + * nuke RCS Ids + * get rid of ancient XFree86 CVS Id tags + * convert manpages prototypes to C ANSI format + +------------------------------------------------------------------- +Sat Jan 12 04:18:22 CET 2008 - [email protected] + +- fix library-without-ldconfig* errors +- PreReq coreutils in -devel package + +------------------------------------------------------------------- +Sat Sep 29 12:24:03 CEST 2007 - [email protected] + +- bumped version to 7.3 + +------------------------------------------------------------------- +Mon Dec 18 11:01:39 CET 2006 - [email protected] + +- updated to release 1.0.3 + * Makefile.am: make ChangeLog hook safer + +------------------------------------------------------------------- +Thu Oct 26 07:29:10 CEST 2006 - [email protected] + +- set version to 7.2 in specfile + +------------------------------------------------------------------- +Mon Oct 9 15:48:29 CEST 2006 - [email protected] + +- updated to release 1.0.2: + * Minor cleanup release - fixes to documentation, lint/sparse + warning cleanups, and closed a small memory leak Coverity + found in the out-of-memory error handling path. 
+ +------------------------------------------------------------------- +Wed Aug 2 16:12:37 CEST 2006 - [email protected] + +- fix setup line + +------------------------------------------------------------------- +Fri Jul 28 14:44:56 CEST 2006 - [email protected] + +- use "-fno-strict-aliasing" + +------------------------------------------------------------------- +Thu Jul 27 11:48:13 CEST 2006 - [email protected] + +- use $RPM_OPT_FLAGS +- remove existing /usr/include/X11 symlink in %pre + +------------------------------------------------------------------- +Sat Jun 24 07:15:45 CEST 2006 - [email protected] + +- created package + New: ---- U_0001-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch U_0001-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch U_0002-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch U_0003-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch baselibs.conf libXv-1.0.7.tar.bz2 libXv.changes libXv.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libXv.spec ++++++ # # spec file for package libXv # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libXv %define lname libXv1 Version: 1.0.7 Release: 0 Summary: X Video extension library License: MIT Group: Development/Libraries/C and C++ Url: http://xorg.freedesktop.org/ #Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXv #Git-Web: http://cgit.freedesktop.org/xorg/lib/libXv/ Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2 # CVE-2013-1989 Patch0: U_0001-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch Patch1: U_0002-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch Patch2: U_0003-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch # CVE-2013-2066 Patch3: U_0001-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkgconfig BuildRequires: pkgconfig(videoproto) BuildRequires: pkgconfig(x11) BuildRequires: pkgconfig(xext) BuildRequires: pkgconfig(xextproto) BuildRequires: pkgconfig(xorg-macros) >= 1.8 %description The X Video Extension (Xv) extension provides support for video adaptors attached to an X display. It takes the approach that a display may have one or more video adaptors, each of which has one or more ports through which independent video streams pass. %package -n %lname Summary: X Video extension library Group: System/Libraries # O/P added for 12.2 Provides: xorg-x11-libXv = 7.6_%version-%release Obsoletes: xorg-x11-libXv < 7.6_%version-%release %description -n %lname The X Video Extension (Xv) extension provides support for video adaptors attached to an X display. It takes the approach that a display may have one or more video adaptors, each of which has one or more ports through which independent video streams pass. Its use is to rescale video playback, do colorspace conversions, and change contrast, brightness and hue using video controller hardware acceleration. 
%package devel Summary: Development files for the X Video extension library Group: Development/Libraries/C and C++ Requires: %lname = %version # O/P added for 12.2 Provides: xorg-x11-libXv-devel = 7.6_%version-%release Obsoletes: xorg-x11-libXv-devel < 7.6_%version-%release %description devel The X Video Extension (Xv) extension provides support for video adaptors attached to an X display. It takes the approach that a display may have one or more video adaptors, each of which has one or more ports through which independent video streams pass. This package contains the development headers for the library found in %lname. %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %build %configure --disable-static make %{?_smp_mflags} %install %makeinstall rm -f "%buildroot/%_libdir"/*.la %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files -n %lname %defattr(-,root,root) %_libdir/libXv.so.1* %files devel %defattr(-,root,root) %_includedir/X11/* %_libdir/libXv.so %_libdir/pkgconfig/xv.pc %_mandir/man3/* %changelog ++++++ U_0001-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch ++++++ >From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <[email protected]> Date: Sat, 13 Apr 2013 00:16:14 -0700 Subject: [PATCH] buffer overflow in XvQueryPortAttributes() [CVE-2013-2066] Each attribute returned in the reply includes the number of bytes to read for its marker. We had been always trusting it, and never validating that it wouldn't cause us to write past the end of the buffer we allocated based on the reported text_size. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> --- src/Xv.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) Index: libXv-1.0.7/src/Xv.c =================================================================== --- libXv-1.0.7.orig/src/Xv.c +++ libXv-1.0.7/src/Xv.c 
@@ -849,14 +849,20 @@ XvQueryPortAttributes(Display *dpy, XvPo xvAttributeInfo Info; int i; + /* keep track of remaining room for text strings */ + size = rep.text_size; + for(i = 0; i < rep.num_attributes; i++) { _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo); ret[i].flags = (int)Info.flags; ret[i].min_value = Info.min; ret[i].max_value = Info.max; ret[i].name = marker; - _XRead(dpy, marker, Info.size); - marker += Info.size; + if (Info.size <= size) { + _XRead(dpy, marker, Info.size); + marker += Info.size; + size -= Info.size; + } (*num)++; } } else ++++++ U_0001-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch ++++++ >From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <[email protected]> Date: Sat, 13 Apr 2013 00:03:03 -0700 Subject: [PATCH] integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3] The num_attributes & text_size members of the reply are both CARD32s and need to be bounds checked before multiplying & adding them together to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> --- src/Xv.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) Index: libXv-1.0.7/src/Xv.c =================================================================== --- libXv-1.0.7.orig/src/Xv.c +++ libXv-1.0.7/src/Xv.c @@ -50,6 +50,7 @@ SOFTWARE. */ #include <stdio.h> +#include <limits.h> #include "Xvlibint.h" #include <X11/extensions/Xext.h> #include <X11/extensions/extutil.h> 
@@ -835,9 +836,15 @@ XvQueryPortAttributes(Display *dpy, XvPo } if(rep.num_attributes) { - int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; + unsigned long size; + /* limit each part to no more than one half the max size */ + if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) && + (rep.text_size < (INT_MAX / 2))) { + size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; + ret = Xmalloc(size); + } - if((ret = Xmalloc(size))) { + if (ret != NULL) { char* marker = (char*)(&ret[rep.num_attributes]); xvAttributeInfo Info; int i; ++++++ U_0002-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch ++++++ >From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <[email protected]> Date: Sat, 13 Apr 2013 00:03:03 -0700 Subject: [PATCH] integer overflow in XvListImageFormats() [CVE-2013-1989 2/3] num_formats is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvImageFormatValues) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> --- src/Xv.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Index: libXv-1.0.7/src/Xv.c =================================================================== --- libXv-1.0.7.orig/src/Xv.c +++ libXv-1.0.7/src/Xv.c @@ -897,9 +897,10 @@ XvImageFormatValues * XvListImageFormats } if(rep.num_formats) { - int size = (rep.num_formats * sizeof(XvImageFormatValues)); + if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues))) + ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues)); - if((ret = Xmalloc(size))) { + if (ret != NULL) { xvImageFormatInfo Info; int i; ++++++ U_0003-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch ++++++ >From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001 
From: Alan Coopersmith <[email protected]> Date: Sat, 13 Apr 2013 00:03:03 -0700 Subject: [PATCH] integer overflow in XvCreateImage() [CVE-2013-1989 3/3] num_planes is a CARD32 and needs to be bounds checked before bit shifting and adding to sizeof(XvImage) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> --- src/Xv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) Index: libXv-1.0.7/src/Xv.c =================================================================== --- libXv-1.0.7.orig/src/Xv.c +++ libXv-1.0.7/src/Xv.c @@ -971,7 +971,10 @@ XvImage * XvCreateImage ( return NULL; } - if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) { + if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage))) + ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)); + + if (ret != NULL) { ret->id = id; ret->width = rep.width; ret->height = rep.height; ++++++ baselibs.conf ++++++ libXv1 provides "xorg-x11-libXv-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXv-<targettype> < 7.6_<version>" libXv-devel requires -libXv-<targettype> requires "libXv1-<targettype> = <version>" provides "xorg-x11-libXv-devel-<targettype> = 7.6_<version>" obsoletes "xorg-x11-libXv-devel-<targettype> < 7.6_<version>" -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
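Review bot: In the XvQueryPortAttributes() loop of the CVE-2013-2066 patch, the new `if (Info.size <= size)` has no else branch, so when an attribute's Info.size exceeds the remaining room its name bytes stay unread on the connection and the next iteration's `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` will parse them as an attribute header. `ret[i].name = marker` and `(*num)++` still run for that entry, so the caller receives a name pointer into text that was never filled in. Suggest handling the oversize case explicitly: discard the Info.size bytes (for example with _XEatData), or stop the loop, free ret and return no attributes instead of a partially valid array.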
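Review bot: In the allocation hunk of CVE-2013-1989 1/3 (XvQueryPortAttributes), `if (ret != NULL)` is now reached even when the bounds check fails and Xmalloc is never called, so it is only correct if ret is initialized to NULL at its declaration, which is outside the lines shown. Please confirm that initialization or add an explicit `else ret = NULL;`. The new `unsigned long size` is also left unset on that path; nothing reads it there today, but initializing it at the declaration would keep a later change from tripping over it.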
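Review bot: The new check in XvListImageFormats() (CVE-2013-1989 2/3) uses INT_MAX, but the `#include <limits.h>` that provides it is added only by patch 1/3, so this patch relies on 1/3 being applied first. The spec does apply them in that order (Patch0, then Patch1), but the dependency is worth stating in the commit message so the patch is not cherry-picked alone. As in 1/3, `if (ret != NULL)` assumes ret is NULL when the bounds check fails; that initialization is not visible in this hunk.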
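Review bot: In the XvCreateImage() hunk of CVE-2013-1989 3/3, the bound `(INT_MAX >> 3) - sizeof(XvImage)` subtracts a byte count from a value that has already been scaled down to a plane count. The result is stricter than necessary and therefore still safe, but the mixed units make the check hard to verify by eye; `(INT_MAX - sizeof(XvImage)) >> 3` states the intended limit on `sizeof(XvImage) + (rep.num_planes << 3)` directly. Like 1/3 and 2/3, the following `if (ret != NULL)` depends on ret being NULL when the check fails, which this hunk does not show.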
